Using Web Security Scanner

This page shows you how to review Web Security Scanner managed scan findings in the Security Command Center dashboard, and includes examples of Web Security Scanner findings. Web Security Scanner is a built-in service for the Security Command Center Premium tier. To view Web Security Scanner findings, it must be enabled in Security Command Center Services settings.

The following video shows the steps to set up Web Security Scanner and explains how to use the dashboard. The text later on this page describes how to view and manage Web Security Scanner findings.

Learn more about how Web Security Scanner works.

Reviewing findings

When Web Security Scanner generates findings, you can view them in Security Command Center. Web Security Scanner scans can take up to 24 hours to start after the service is enabled and run weekly after the first scan.

Reviewing findings in Security Command Center

To review Web Security Scanner findings in Security Command Center:

  1. Go to the Security Command Center Findings tab in the Google Cloud Console.
  2. Next to View by, click Source Type.
  3. In the Source type list, select Web Security Scanner.
  4. To view details about a specific finding, click the finding name under Category. The finding details panel expands to display information including the following:
    • What the event was
    • When the event occurred
    • The source of the finding data
    • The detection severity, for example High
    • The affected URL
  5. A scan can produce findings from several base URLs. To display all findings associated with a given URL in a scan:
    1. On the finding detail panel, copy the URL next to externalUri.
    2. Close the finding detail panel.
    3. In the Findings tab Filter box, enter externalUri:affected-uri, where affected-uri is the URL you copied previously.

Security Command Center displays all of the findings that are associated with the URL that you provided.

Example findings

Example Web Security Scanner managed scan findings include the following:

Table A. Web Security Scanner managed scan finding types

| Vulnerability | Description |
| --- | --- |
| Mixed-content | A page that was served over HTTPS also serves resources over HTTP. A man-in-the-middle attacker could tamper with the HTTP resource and gain full access to the website that loads the resource, or monitor users' actions. |
| Clear text password | An application returns sensitive content with an invalid content type, or without an X-Content-Type-Options: nosniff header. |
| Outdated Library | The version of an included library is known to contain a security issue. The scanner checks the version of the library in use against a known list of vulnerable libraries. False positives are possible if the version detection fails or if the library has been manually patched. |

Web Security Scanner identifies some vulnerable versions of the following popular libraries:

This list is updated periodically with new libraries and updated vulnerabilities as applicable.
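As an added illustration of what the Mixed-content finding in Table A describes (not Web Security Scanner's own detection code), the following Python checks whether a page served over HTTPS references subresources over plain HTTP. The sample page and its URLs are constructed, and the set of resource-loading attributes is an assumed practical subset.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Tag attributes that make the browser fetch a subresource (assumption: a
# practical subset, not the scanner's own list).
RESOURCE_ATTRS = {
    "script": "src", "img": "src", "iframe": "src", "audio": "src",
    "video": "src", "source": "src", "embed": "src", "object": "data",
    "link": "href",
}

class _ResourceCollector(HTMLParser):
    """Collect absolute URLs of subresources referenced by a page."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.resources = []

    def handle_starttag(self, tag, attrs):
        attr_name = RESOURCE_ATTRS.get(tag)
        if attr_name is None:
            return
        value = dict(attrs).get(attr_name)
        if value:
            # urljoin resolves relative and protocol-relative ("//host/x")
            # references against the page URL, so those inherit https.
            self.resources.append(urljoin(self.page_url, value))

def find_mixed_content(page_url, html):
    """Return the http:// subresources of a page that was served over HTTPS."""
    if urlsplit(page_url).scheme != "https":
        return []  # only an HTTPS page can have mixed content
    collector = _ResourceCollector(page_url)
    collector.feed(html)
    return [u for u in collector.resources if urlsplit(u).scheme == "http"]

# Constructed sample page, not a real site.
SAMPLE_PAGE_URL = "https://shop.example/checkout"
SAMPLE_HTML = """<html><head>
<link rel="stylesheet" href="https://cdn.example/site.css">
<script src="http://cdn.example/analytics.js"></script>
</head><body>
<img src="/static/logo.png">
<img src="//cdn.example/banner.png">
<iframe src="http://ads.example/frame"></iframe>
</body></html>"""
```

Relative and protocol-relative references inherit the page's HTTPS scheme and are not flagged; only explicit http:// subresources are reported, which is the condition the finding describes.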